Critical Firefox 3.5 bug discovered

US-CERT posted a warning yesterday, of a critical vulnerability affecting the recently launched Firefox 3.5. The bug is due to an error in the way JavaScript code is processed. By exploiting this anomaly, an attacker may be able to execute arbitrary code. Furthermore, exploit code is publicly available for this vulnerability.

Mozilla is aware of and has publicly acknowledged the issue on their blog. They say that the bug can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. Mozilla is working to fix the issue and a security update will be sent out when it’s ready.

For the time being, to mitigate the bug simply disable the Just-in-time (JIT) JavaScript engine. To accomplish this: Enter “about:config” in the address bar, type “jit” in the filter bar up top, and double-click the line containing “javascript.options.jit.content”, which should then have a value of “false”.

If that sounds a bit too troublesome, you can simply run Firefox in Safe Mode or even install an add-on like NoScript. Naturally, as soon as the fix is released, you can reverse any remedy.